-
Notifications
You must be signed in to change notification settings - Fork 0
/
docker-compose.yaml
158 lines (156 loc) · 4.9 KB
/
docker-compose.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
version: "3.7"
services:
proxy:
image: lights-proxy:latest
build:
context: .
dockerfile: docker/proxy.Dockerfile
hostname: proxy
container_name: lights-proxy
networks:
frontend:
backend:
ports:
- 443:443/tcp
volumes:
- type: volume
source: proxy-logs
target: /usr/local/apache2/logs/
- type: volume
source: proxy-confs
target: /usr/local/apache2/conf/
# See `conf/gen-certs.sh`
- type: volume
source: proxy-certs
target: /usr/local/apache2/certs/
environment:
- LANG=en_US.UTF-8
- TZ=America/Denver
depends_on:
- web
restart: unless-stopped
web:
image: lights-web:latest
build:
context: .
dockerfile: docker/web.Dockerfile
user: light:light
hostname: web
container_name: lights-web
# ports:
# # SECURITY WARNING: The service should be used through a reverse
# # HTTP proxy (e.g. Apache, Nginx) that has SSL/TLS enabled. This
# # will be done at a later time and changed to listen on localhost
# # only.
# - 8000:7000/tcp
networks:
# SECURITY WARNING: This service is in the `backend` network only
# in order to ensure that all communication is done via the proxy
# and encrypted with SSL/TLS.
# frontend:
backend:
environment:
- LANG=en_US.UTF-8
- TZ=America/Denver
# SECURITY WARNING: These provide app-specific info to access the
# database backend. See `app.settings.DATABASE_CONFIG` for more.
# See additional notes in `db` service `environment` entry.
- LIGHTS_HOST
- LIGHTS_PORT
- LIGHTS_DB
- LIGHTS_USER
- LIGHTS_PASSWORD
depends_on:
- db
restart: unless-stopped
db:
image: lights-db:latest
build:
context: .
dockerfile: docker/db.Dockerfile
user: postgres:postgres
hostname: db
container_name: lights-db
command:
# See `conf/gen-certs.sh` and
# https://www.postgresql.org/docs/current/runtime-config.html
-c ssl=on
-c ssl_cert_file=/var/lib/postgresql/certs/postgres.crt
-c ssl_key_file=/var/lib/postgresql/certs/postgres.key
-c hba_file=/var/lib/postgresql/pg_hba.conf
# ports:
# # SECURITY WARNING: Normally, the database backend is expected to
# # remain completely isolated in the `backend` network, but it's
# # being exposed for this demo. This is done for your convenience
# # and allows remote DB administration via `pgAdmin4`; remember to
# # *force* SSL/TLS on client connections on configs, as this exposed
# # port will bypass the reverse HTTP proxy and does not use SSL/TLS,
# # but you still need to protect login credentials. To fully hide
# # the DB service, (e.g. production envs) comment out the `ports`
# # entry and rebuild. Only the `web` service, which is also in the
# # `backend` network, should really get to talk to this service in
# # a real production environment.
# - 8001:5432/tcp
networks:
backend:
volumes:
- type: volume
source: postgres-data
target: /var/lib/postgresql/data/
- type: volume
source: postgres-conf
target: /var/lib/postgresql/
# See `conf/gen-certs.sh`
- type: volume
source: postgres-certs
target: /var/lib/postgresql/certs/
environment:
- LANG=en_US.UTF-8
# Use whatever timezone you want here
- TZ=America/Denver
# SECURITY WARNING: The env vars below are resolved at runtime.
# They must be defined in the host/system Compose is running on[1].
# For documentation on valid keys, see docs[2]. If password is not
# set, Postgres sets up a password-less database, b/c this is done
# before running included init scripts.
#
# This is for the super user/role. With `POSTGRES_DB` and
# `POSTGRES_USER` unspecified, the default `postgres` is used for
# both.
#
# [1] https://docs.docker.com/compose/compose-file/#environment
# [2] https://hub.docker.com/_/postgres/
- POSTGRES_PASSWORD
# SECURITY WARNING: These provide app-specific database and user/role
# credentials. These must also match in containers that want to
# connect to the database backend (e.g. `web` service).
- LIGHTS_DB
- LIGHTS_USER
- LIGHTS_PASSWORD
restart: unless-stopped
volumes:
postgres-data:
driver: local
name: lights-db-data
postgres-conf:
driver: local
name: lights-db-confs
postgres-certs:
driver: local
name: lights-postgres-certs
proxy-logs:
driver: local
name: lights-proxy-logs
proxy-confs:
driver: local
name: lights-proxy-conf
proxy-certs:
driver: local
name: lights-proxy-certs
networks:
frontend:
driver: bridge
name: lights-frontend
backend:
driver: bridge
name: lights-backend